
Thursday, October 28, 2010

Yet again we are faced with another critical security advisory for Adobe products. This time the vulnerability affects Adobe Flash Player, Adobe Reader and Adobe Acrobat. From the Adobe Security Advisory:

"This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player."

As described at The Register, the Adobe Reader/Acrobat exploit can install a backdoor trojan known as Wisp, which steals sensitive data and installs a backdoor on compromised systems. The vulnerability in Adobe's Flash Player drops two malicious binaries onto Windows machines that open the document files.

Adobe provided mitigations for all platforms of Adobe Reader/Acrobat customers in the Security Advisory. Personally, I prefer to use an alternate PDF reader and have been satisfied with the performance of Sumatra PDF.

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat."
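The rename mitigation quoted above can be scripted. This is an added example, not code from Adobe or from the advisory; it uses only the two default paths quoted above, and the function name `Disable-AuthPlay` and the `.disabled` suffix are assumptions made for illustration.

```powershell
# Added example: rename authplay.dll at the default paths quoted in the advisory.
# Run from an elevated PowerShell prompt. The advisory says "typically located",
# so installations in other folders must be added to this list by hand.
$defaultPaths = @(
    'C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll',
    'C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll'
)

function Disable-AuthPlay {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$Path,
        [string]$Suffix = '.disabled'   # assumed suffix; any non-.dll name works
    )

    foreach ($dll in $Path) {
        # Nothing to do if the product is not installed at this location.
        if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
            [pscustomobject]@{ Path = $dll; Status = 'NotFound' }
            continue
        }

        $newName = (Split-Path -Leaf $dll) + $Suffix
        $target  = Join-Path (Split-Path -Parent $dll) $newName

        # A leftover renamed copy plus a fresh authplay.dll means a repair or
        # update restored the file; report it instead of overwriting the copy.
        if (Test-Path -LiteralPath $target) {
            [pscustomobject]@{ Path = $dll; Status = 'RenamedCopyAlreadyExists' }
            continue
        }

        if ($PSCmdlet.ShouldProcess($dll, "Rename to $newName")) {
            try {
                Rename-Item -LiteralPath $dll -NewName $newName -ErrorAction Stop
                [pscustomobject]@{ Path = $dll; Status = 'Renamed' }
            } catch {
                # Typical causes: not elevated, or Reader/Acrobat is still open.
                [pscustomobject]@{ Path = $dll; Status = "Failed: $($_.Exception.Message)" }
            }
        }
    }
}

# Preview first; remove -WhatIf to apply the mitigation.
Disable-AuthPlay -Path $defaultPaths -WhatIf
```

Renaming rather than deleting keeps the file available to restore once the patched release is installed.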

Updates:

An update for Adobe Flash Player is expected by November 9, 2010. Adobe Reader and Acrobat 9.4 are expected to be updated during the week of November 15, 2010.

Wednesday, October 27, 2010

I was rather surprised when the message below rolled up in front of my browser window today.

Apparently, after installing Windows Live Essentials or the Bing Bar, you will be asked if you want to help Microsoft improve their products. Strange that I just got the pop-up today. I have had the Windows Live Essentials on this computer for some time and the Bing Bar was on, off, back on, off, again.

From the "Learn More" link, I discovered that the purpose is to improve Windows Live and the Bing Bar. If you see this pop-up, it is important to note a few points:

Participation is completely voluntary. You can uncheck one, two or all three options.

No data will be collected without your agreement to participate (leave the last box checked).

All collected data is confidential.

What if you decide to opt-out after you agreed to the data collection? You can change the setting for Windows Live Essentials by changing the "Help improve Windows Live" setting in the options of any Windows Live program.

Follow the steps below to stop participating in the Bing Bar program:

Launch your browser.

On the right side of Bing Bar, click the Toolbar options button.

Click Quality, select No, I don't want to participate, and then click OK.

It was just yesterday that Mozilla reported a Critical vulnerability in Firefox 3.5 and Firefox 3.6. As of this posting, although the release notes for Firefox version 3.6.12 are live, the update is not yet available on the servers. (Edit Note: The update is available now.)

Firefox users are advised to follow the instructions below from the Mozilla advisory to disable Javascript and install NoScript.

"Issue:
Mozilla is aware of a critical vulnerability affecting Firefox 3.5 and Firefox 3.6 users. We have received reports from several security research firms that exploit code leveraging this vulnerability has been detected in the wild.

Impact to users:
Users who visited an infected site could have been affected by the malware through the vulnerability. The trojan was initially reported as live on the Nobel Peace Prize site, and that specific site is now being blocked by Firefox’s built-in malware protection. However, the exploit code could still be live on other websites.

Status:
We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested.

In the meantime, users can protect themselves by doing either of the following:

One of the forums where I am active had a post asking about Microsoft Security Essentials (MSE) being offered as an optional update via Windows Update. The image posted leads to Microsoft KB Article 2267621, which explains that MSE is being offered as an optional update to Windows XP, Windows Vista, and Windows 7 users who subscribe to Microsoft Windows Update.

The KB Article continues to explain:

"If you are not currently running anti-malware software on your computer then you may be vulnerable to spyware, viruses, and other malicious software. Microsoft Security Essentials is free anti-malware software and it is strongly recommended that you download and install it. Microsoft Security Essentials is licensed for use on home PCs and by small businesses with 10 or fewer PCs."

If you do not have antivirus software installed on your computer, you may elect to install MSE. The software is free for personal use as well as small businesses with ten or fewer PCs.

What do you do if you do not want to install MSE on your computer?

Hide the update. Right-click the update and choose Hide Update. If you later change your mind, on the main Windows Update page, click Restore Hidden Updates. Even if you elect to install MSE on your computer, you will probably want to hide any unneeded language packs.

For problems with Windows Update and other Windows Security settings, consider the appropriate Microsoft Fix it solutions:

Monday, October 25, 2010

For those working behind the scenes, the long-awaited inaugural edition of The Active Geek has been published.

"Driven by a community of tech bloggers and enthusiasts, The Active Geek is the perfect guide for all your tech needs." Sample titles of articles in the inaugural edition of The Active Geek include “Internet Explorer 9 Beta”, “Turn your PC to a home theater”, “Windows 7 Super Guide”, and “Power Up your Office Work with Office 2010”.

Not to be missed is an interview of Robert Margel, the Microsoft Online Site Manager for Windows in the U.K. by Microsoft MVP Lead and The Active Geek editor, Abhishek Baxi. Of course, I hope you also enjoy my article, “Cyber Security, Our Shared Responsibility”.

To celebrate the inaugural edition, over 50 licenses of amazing products from reputed companies are included in a giveaway. To be eligible to participate in the Inaugural Edition Giveaway, subscribe to The Active Geek on or before 20 November 2010. Details about the giveaway are available here.

Thursday, October 21, 2010

Based on the numbers, Windows 7 is both highly acceptable to and accepted by consumers as well as companies. The Windows Team Blog reports that more than 240 million licenses of Windows 7 have been sold.

Another important milestone reported at the Springboard Series Blog is that over 88% of all companies are currently piloting Windows 7 in their organization. Based on what I have seen in the workplace, once Windows 7 has been deployed in the workplace, the employees using it will want it at home as well.

The Springboard Series post included a very thoughtful thank you by Stephen Rose:

"We want to thank all of the Microsoft Most Valuable Professionals (MVPs), STEP members, Tech Bloggers, Newsletter readers, Tweeters, Bus Tour attendees, TechEd and TechDays attendees, journalists, our Talking About Windows and Virtual Roundtable participants, Forum participants and moderators, local and national user group members, and all the IT pros from around the world, who supported us and the Springboard Series on TechNet during this exciting launch year."

You are welcome, Stephen. It is easy to support something you believe in.

Wednesday, October 20, 2010

With the release of Windows Live Essentials 2011, the Microsoft Product Update Team announced that it will be available through Windows Update, starting October 19, 2010. (Note: Windows Live Essentials 2011 is not compatible with Windows XP.)

Windows Vista and Windows 7 users will be offered the update as a "Recommended Update" if any one of the Windows Live software programs is installed.

If you do NOT have any of the Windows Live Essentials programs installed on your computer, it will still be offered but as an "Optional Update". It is not necessary to install if you do not use any of the programs.

Live Mesh is being replaced by Windows Live Mesh. As a result, support for Live Mesh ends March 31, 2011 and the beta will stop working. After that date, you will not be able to access any files stored online in your Live Desktop or connect to your PCs remotely using the Live Mesh software. In addition, your files will also stop syncing between your computers and your Live Mesh online storage.

The system requirements for Windows Live Essentials 2011 are provided in Microsoft KB Article 2434419:

Windows Live Essentials requires the following

Operating system: 32- and 64-bit editions of Windows Vista Service Pack 2 with the Platform Update for Windows Vista; or Windows 7; or Windows Server 2008 with Service Pack 2 and the Platform Update for Windows Server 2008; or Windows Server 2008 R2.

For Photo Gallery and Movie Maker: Some required components of DirectX 9 may be installed for you if they're not already on your computer.

For Windows Live Mesh: To run Windows Live Mesh on a Mac, you must have OS X 10.5 or newer installed. If you already installed an earlier version of Windows Live Sync beta or Live Mesh beta, please see the detailed release notes (http://explore.live.com/windows-live-2011-release-notes) for additional requirements.

Shortly after Oracle released their quarterly update which addressed twenty-nine security flaws in Java SE, a frustrated forum poster asked, "How can I determine if I need Java?" Along with removal instructions, my reply included the following reasons why someone may need Oracle Sun Java installed on their computer:

It used to be that Java was needed for websites to be properly displayed. However, that is generally not the case now with Flash having taken over.

There may be commercial programs that depend on Java. If Java is needed for software installed on your computer, there should be a prompt for it.

There is no question that the forum poster's question was very timely. As reported by Holly Stewart in an MMPC Blog post, there has been "an unprecedented wave of Java exploitation." The report continues:

"In fact, by the beginning of this year, the number of Java exploits (and by that I mean attacks on vulnerable Java code, not attacks using JavaScript) had well surpassed the total number of Adobe-related exploits we monitored. See chart below for details:

The Java spike in Q3 is primarily driven by attacks on three vulnerabilities, which all, by the way, have had patches available for them for some time now. The first two, in particular, have gone from hundreds of thousands per quarter to millions:

Whether you keep Java or decide to uninstall it from your computer, it is necessary to look not only for the Java(TM) 6 Update (number) but also for any installation with J2SE, Java(TM) 5, or Java(TM) SE Runtime Environment 6. It is also advisable to remove the leftover files in your downloads folder.

In the event you keep Java installed, there should only be the current version in add/remove programs (as of this posting, Java(TM) 6 Update 22, available at Java SE Runtime Environment 6u22).
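The check described above (only the current version should appear in Add/Remove Programs) can be run against the uninstall registry keys that the list is built from. This is an added example, not code from Oracle, Microsoft or the original post; the function name `Get-JavaInstall` is hypothetical, the name patterns are taken from the paragraph above, and the optional "(64-bit)" suffix on the display name is an assumption about how 64-bit installs are listed.

```powershell
# Added example: list every Java entry in Add/Remove Programs and flag anything
# that is not the current release named in the post (Java(TM) 6 Update 22).
function Get-JavaInstall {
    param(
        # Current release as named in the post; update when a newer one ships.
        [string]$CurrentName = 'Java(TM) 6 Update 22',
        # Native and 32-bit-on-64-bit uninstall keys.
        [string[]]$RegistryPath = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
    )

    # Display-name prefixes the post says to look for.
    $patterns = @(
        '^J2SE',
        '^Java\(TM\) 5',
        '^Java\(TM\) 6 Update',
        '^Java\(TM\) SE Runtime Environment 6'
    )
    # Assumption: a 64-bit install carries a " (64-bit)" suffix.
    $currentRegex = '^' + [regex]::Escape($CurrentName) + '( \(64-bit\))?$'

    Get-ItemProperty -Path $RegistryPath -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($patterns | Where-Object { $name -match $_ })
        } |
        ForEach-Object {
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                DisplayVersion = $_.DisplayVersion
                Status         = if ($_.DisplayName -match $currentRegex) { 'Current' }
                                 else { 'Outdated - uninstall' }
            }
        } |
        Sort-Object DisplayName
}

# Read-only: nothing is removed, the result is just the list to act on.
Get-JavaInstall | Format-Table -AutoSize
```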

Since Java updates tend to leave leftovers, JavaRa is recommended. Freð ðe Vries provided notice that JavaRa has been silently updated to reflect the publication of Oracle's Java JRE 1.6.0.22. Leftovers up to Oracle Sun Java 1.6.0.21 are now cleaned by JavaRa. Simply download JavaRa and unzip it to your desktop.

Double-click on JavaRa.exe to start the program. (Windows Vista and Windows 7 users right-click JavaRa.exe > Select Run as Administrator)

Wednesday, October 13, 2010

Whether you are new to Office 2010 or Windows 7 or have used one or both for a long time, this is your opportunity to "Ask the Experts" questions you have or get help with problems you haven't been able to solve on your own.

Please join the special live chat tomorrow when MVPs will be available to take questions about Microsoft Office 2010 or Office 2007, including Word, Excel, PowerPoint, Outlook, Access, Project, OneNote and more.

In addition to Office, you can ask questions about Windows 7 and Windows Vista. The chat will cover Windows related topics such as upgrading, setup and installation, securing your PC, Internet Explorer, and more.

Volume 9 of the Security Intelligence Report (SIR) has been published. This volume of the SIR covers the first half of 2010 (January 1 - June 30).

Botnets are used for spamming, phishing, denial-of-service attacks, installing malware, click fraud, stealing confidential data and distributing malware. In Volume 9 of the SIR, botnets are the topic for Featured Intelligence.

Tuesday, October 12, 2010

Oracle has released their quarterly update, fixing 82 vulnerabilities in total, thirty-one of which affect the Oracle Sun Product Suite. Twenty-nine of the security flaws addressed are in Java SE and Java for Business.

Although Java is not required, if you do have Java installed on your computer, it is strongly advised to install the update as soon as possible.

Once again, AVG's LinkScanner is causing problems. I have spent a considerable amount of time the past couple of days attempting to help someone on a help forum who has been having problems with his browser "Not Responding". I have now learned that the issue is likely attributable to AVG 2011's LinkScanner component.

Technically, it is a form of HTTP hammering with the impact depending on how many users with AVG 2011 access a particular site. That aside, as suggested by Softpedia, browsers will open tens or hundreds of connections in the background and will become unresponsive.

As a result of the above information, if you have AVG 2011 and LinkScanner installed on your computer and you have been experiencing problems, you may wish to consider uninstalling LinkScanner.

By the way, if you need an alternative, my favorite, free-for-personal-use antivirus software is Microsoft Security Essentials.

Microsoft released sixteen (16) bulletins addressing 49 vulnerabilities affecting Windows, Internet Explorer, Microsoft Office, and the .NET Framework. Six bulletins expected are rated Critical, ten are Important and two are Moderate. Three of the bulletins account for 34 of the total vulnerabilities.

MS10-073 contains an Important update for Windows XP that addresses a local Elevation of Privilege, one of the two additional Stuxnet-related elevation of privilege vulnerabilities that were announced in September. It was reported that the second and final issue will be addressed in an upcoming bulletin.

Thursday, October 07, 2010

Last month, Microsoft announced that Microsoft Security Essentials (MSE) will be free to use for organizations with up to ten (10) PCs, with the change taking effect early in October. As announced in the Windows Security Blog, the change is effective today, October 7, 2010.

Most small businesses with up to ten PCs do not have dedicated IT support. For those businesses, managing a number of computers can be daunting. For assistance in setting up a group policy for MSE, I recommend this article by Microsoft MVP Alan Burchill, "Group Policy for Microsoft Security Essentials". Alan's article includes illustrated instructions as well as a link to an XML Group Policy Preferences Registry file for the Group Policy settings.

On Tuesday, October 12, 2010, Microsoft is planning to release sixteen (16) bulletins addressing 49 vulnerabilities. These vulnerabilities cover Windows, Internet Explorer, Microsoft Office, and the .NET Framework. As currently anticipated, four of the bulletins are rated Critical, ten are Important and two are Moderate.

Wednesday, October 06, 2010

Adobe Reader and Adobe Acrobat 9.3.4 (and earlier versions) as well as Adobe Reader and Adobe Acrobat 8.2.4 (and earlier versions) for Windows, Mac OS X and UNIX are all vulnerable to the security flaws. The flaws, of which at least one is being actively exploited, could potentially allow a hacker to take control of users' computers.

Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.” The Adobe Reader update for Windows is available from here. As usual, remember to UNCHECK the box shown below. It is not needed for the update!

Sunday, October 03, 2010

Starting today, October 3, you can purchase the Windows 7 Family Pack at participating retailers and online at the Microsoft Store for $149.99. It is important to note that this is a limited time offer. The Family Pack is only available while supplies last.

For families with two or more home computers, the Family Pack is the perfect opportunity to upgrade to Windows 7 and enjoy the security, speed and improved user interface that Windows 7 includes.

Setting up a home network is easy with Windows 7. From the Windows Experience Blog:

Discover the Windows 7 Features and download the Windows 7 Upgrade Advisor today to see if your PC is ready for Windows 7. The Windows 7 Upgrade Advisor scans your PC for potential issues with your hardware, devices, and installed programs, and provides recommendations of what to do before you upgrade.

The Family pack is currently only available in the United States. The Family Pack will be available for purchase on or after Oct. 22 in the following participating countries:

This year marks the seventh annual National Cyber Security Awareness (NCSA) month. Officially, the National Cyber Security Awareness Month launch will take place tomorrow, October 4, 2010, in Seattle, Washington at the Seattle Public Library.

NCSA provides an opportunity for teachers, businesses, government entities, libraries, as well as bloggers like me to provide tips to help you stay safe and secure online.

With acknowledgment to a tip by fellow Microsoft MVP, Richard Hay, at his website, WindowsObserver.com, I am going to tell you about the Online Safety Calendar, a great new add-on available for Internet Explorer. The add-on is an ideal tool to enhance your cyber security awareness.

Although it is not yet available for Internet Explorer 9 (Beta) or alternate browsers, with the installed Online Safety Calendar add-on, Internet safety tips such as "How to protect yourself from identity theft", "Online shopping safety tips", and more are available at your fingertips. Of particular interest is the wealth of information available to parents for teaching children how they can stay safe online.

Installation of the add-on is easy. Simply go to the download link provided below and save the file. When you run the installer, you will need to agree to the Terms and Conditions of Service. If you are running Windows Vista or Windows 7, accept the UAC elevation prompt for the installation. (Note: The calendar is not currently compatible with IE 9 Beta.)

Restart Internet Explorer when instructed during installation and at the beginning of each month, you will receive a calendar reminder to help you take action on important online safety issues.

It is not necessary to wait for the monthly reminder to get safety tips. You can also access the calendar whenever you want. Simply launch Internet Explorer, click Tools, and then click Online Safety Calendar. Alternatively, click on the Online Safety Calendar icon from the Internet Explorer Command Bar.

Below is a partial screen copy of the calendar information for National Cyber Security Awareness Month:

The Online Safety Calendar was sponsored by Microsoft and developed by ILookBothWays.com. Before starting I Look Both Ways, president and founder Linda Criddle was a 13-year employee of Microsoft where she was a pioneer in online safety for the MSN division.

While I still have your attention, I want to encourage everyone, but particularly parents, to check the helpful information available at iLookBothWays. Under the "Learn Safety" tab are links to articles with advice on how to steer clear of Internet hazards including topics on sending e-mail, dating online, or protecting your children. There are brochures that can be downloaded and educational videos on topics such as "Talking to Kids About Online Safety" and "Protecting Kids on Social Networks".